IPsec pfSense <-> Cisco ASA multiple phase 2
-
Please read https://blog.pfsense.org/?p=1546, the chapter about IPsec.
Problems with rekeying with multiple phase 2 entries on a single phase 1 in some cases with IKEv1 – while many circumstances with multiple P2s on a single P1 work fine, there is an outstanding rekeying problem in some circumstances. Especially where you have several P2s on a single P1, we advise caution on upgrading at this time. Where both endpoints support IKEv2, changing from IKEv1 to IKEv2 will prevent this from being an issue. We have an open bug on this which we expect to have addressed in a future 2.2.1 release.
-
Thank you for your reply. Cisco ASA supports IKEv2. My tunnels are now IKEv2 but the situation is the same. The same response from the ASA… I think the tunnels are more unstable.
-
The rekeying issue noted in that circumstance isn't what you're seeing there. IKEv2 should be a fine choice in that case.
You will have to delete the IKEv1 SA it previously negotiated under Status>IPsec. To make sure you're definitely getting a fully-clean start, stop the strongswan service, then start it. Or reboot if you want to make really, really sure.
-
The problem is solved!!
IKEv2 is not the proper approach.
I don't know why, but if I add a second P2 pair with the [+] button ("based on this one") the problem occurred.
If I add the rule manually, all works fine. These P2-pair configurations look absolutely identical, but with the first one the communication is wrong and with the second one all works fine.
-
Ah yes, good catch, that is a bug I am opening a ticket about.
There are some IDs generated on the back end; if you use "based on this one" it will reuse the ID, and that will break the config generation.
Thank you for the analysis.
To follow up: https://redmine.pfsense.org/issues/4349
-
Thank you tpetrov! I have spent half a day searching and attempting different options in order to bring up multiple P2s. I was about to build an old 2.0.3 version and replace my existing 2.2. What a headache. Thanks again.
-
I'm so happy to have found that thread ;D . I have faced that issue for days and days without understanding, thinking I was too stupid to understand my errors; I was about to jump out of the window :o
Thank you !!!
-
Is this issue fixed? I'm having problems connecting a pfSense box to a Cisco ASA.
Subnets are configured as additional Phase 2 entries (I added them manually; I did use "based on this rule" before).
I would like some confirmation that this functionality actually works. Thanks
-
Use the check box in P1: "Enable this to split connection entries with multiple phase 2 configurations. Required for remote endpoints that support only a single traffic selector per child SA."
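To make the two points in this thread concrete (the copied P2 entry that reuses a back-end ID and so breaks config generation, and the "split connection entries" option for peers such as the ASA that accept only one traffic selector per child SA), here is a small added model in Python. It is not pfSense's or strongSwan's code. The thread does not say which ID the "based on this one" button reused, so this example uses the child SA reqid as an illustrative stand-in, and the rendered text only approximates strongSwan swanctl.conf syntax; the names `Phase1`, `Phase2`, `render` and the sample addresses are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import List


@dataclass
class Phase2:
    """One phase 2 (child SA) entry: a single local/remote traffic selector pair."""
    local_subnet: str
    remote_subnet: str
    reqid: int  # per-child SA request id; assumed here to be the reused back-end id


@dataclass
class Phase1:
    """One phase 1 (IKE SA) entry with its phase 2 children."""
    name: str
    local_addr: str
    remote_addr: str
    ike_version: int
    phase2s: List[Phase2] = field(default_factory=list)


def duplicate_reqids(p1: Phase1) -> List[int]:
    """Return reqids shared by more than one phase 2 entry under this phase 1.

    A P2 copied with "based on this one" that inherits its template's id shows
    up here even though both entries look identical in the GUI.
    """
    counts = Counter(p2.reqid for p2 in p1.phase2s)
    return sorted(r for r, n in counts.items() if n > 1)


def is_renderable(p1: Phase1) -> bool:
    """True when every child under the phase 1 carries its own reqid."""
    return not duplicate_reqids(p1)


def render(p1: Phase1, split: bool) -> str:
    """Render swanctl-style connection blocks (assumed syntax, not pfSense's generator).

    split=False: one connection carrying every phase 2 as a separate child SA.
    split=True:  one connection per phase 2, so each negotiation with the peer
                 proposes exactly one traffic selector pair (the P1 check box).
    """
    dups = duplicate_reqids(p1)
    if dups:
        raise ValueError(f"duplicate reqid(s) {dups} under phase 1 {p1.name!r}")

    def child_block(p2: Phase2) -> str:
        return (
            f"        child{p2.reqid} {{\n"
            f"            local_ts = {p2.local_subnet}\n"
            f"            remote_ts = {p2.remote_subnet}\n"
            f"            reqid = {p2.reqid}\n"
            f"        }}\n"
        )

    def conn_block(name: str, children: List[Phase2]) -> str:
        body = "".join(child_block(c) for c in children)
        return (
            f"    {name} {{\n"
            f"        version = {p1.ike_version}\n"
            f"        local_addrs = {p1.local_addr}\n"
            f"        remote_addrs = {p1.remote_addr}\n"
            f"        children {{\n{body}        }}\n"
            f"    }}\n"
        )

    if split:
        conns = "".join(conn_block(f"{p1.name}_{i}", [p2])
                        for i, p2 in enumerate(p1.phase2s, 1))
    else:
        conns = conn_block(p1.name, p1.phase2s)
    return f"connections {{\n{conns}}}\n"


def connection_count(cfg: str) -> int:
    """Count top-level connection blocks: lines indented exactly 4 spaces ending in '{'."""
    return sum(1 for line in cfg.splitlines()
               if len(line) - len(line.lstrip(" ")) == 4 and line.endswith("{"))


# Constructed sample: two local subnets to one remote subnet, peer wants one selector per child SA.
SAMPLE_P1 = Phase1("asa_site", "203.0.113.10", "198.51.100.20", ike_version=2, phase2s=[
    Phase2("10.10.1.0/24", "192.168.50.0/24", reqid=1),
    Phase2("10.10.2.0/24", "192.168.50.0/24", reqid=2),
])

# Constructed sample of the bug symptom: the second P2 was copied and kept the first one's id.
CLONED_P1 = Phase1("asa_site", "203.0.113.10", "198.51.100.20", ike_version=2, phase2s=[
    Phase2("10.10.1.0/24", "192.168.50.0/24", reqid=1),
    Phase2("10.10.2.0/24", "192.168.50.0/24", reqid=1),
])

if __name__ == "__main__":
    print(render(SAMPLE_P1, split=True))
    print("cloned entry renderable:", is_renderable(CLONED_P1))
```

Running the block prints the split rendering (two connections, one child each) and reports the cloned configuration as not renderable; the lesson from the thread is that two P2 entries can look identical in the GUI while differing in a generated id, so a duplicate-id check before config generation catches it early.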